Balanced Scorecard Report

Aligning Enterprise Risk

S Y N E R G I E S

strategies. COSO defines ERM as

a process, put in place by an
Management with Strategy organization’s board of directors,
management, and others, designed
Through the BSC: The Bank of to identify and manage the
spectrum of risks an organization
Tokyo-Mitsubishi Approach faces so that it can be reasonably
assured of achieving its objectives. 2
By Takehiko Nagumo, Senior Manager, Corporate Planning Office,
M A N A G E M E N T

Bank of Tokyo-Mitsubishi (Tokyo) Interestingly, COSO created its

Internal Control Framework in
Following the wide-scale success of its Americas headquarters’ 1992, the same year that Robert
BSC implementation (BSR November–December 2002), Kaplan and David Norton intro-
international banking giant Bank of Tokyo-Mitsubishi (BTM) duced the Balanced Scorecard.
launched a global BSC implementation from its Tokyo Like the BSC, the COSO framework
headquarters. Led by President and CEO Nobuo Kuroyanagi, has evolved over time. The most
BTM has thus embarked on a journey to use BSC as an critical aspect of its evolution is
enterprisewide strategic management tool. In the process, the new ERM model’s emphasis
BTM is undertaking a groundbreaking application of the on the importance of aligning
BSC: integrating it with enterprise risk management. As a strategy and risk management.
corporate governance instrument, this integrated model— In an official publication about
and BTM’s application of it—is sure to capture attention. its ERM model, COSO claims “every
entity exists to provide value,”
When BTM adopted the BSC idea of linking risk management and that value “is maximized
developed by its regional head- and strategy was first conceived, when management sets strategy
quarters, it first had to modify it has been improved many times and objectives to strike an optimal
the tool make it more suitable conceptually and in practice. balance between return goals and
for global use. For example, Today, this approach has become related risks, and efficiently and
Corporate Social Responsibility the enterprisewide standard. effectively deploys resources in
(CSR), a tenet that most corpora- pursuit of the entity’s objectives.” 3
tions are obligated to embrace, The COSO Enterprise Risk
Graphically, the concept is depicted
is now incorporated in one of Management Approach
as the “COSO cube,” familiar to
the strategic themes. In addition, The key concept that links strategy the senior executives of publicly
the Plan-Do-Check-Act cycle, and risk management is the COSO 1 held U.S. companies, since
an enterprisewide initiative, has Enterprise Risk Management (ERM) COSO is essentially mandatory
been integrated into each of the system, a model developed last for compliance with the Sarbanes-
customer, internal process, and year by the North American Oxley Act. (See Figure 1.) Four
learning and growth perspectives consortium of accounting and categories of objective appear in
to promote a customer-focused finance professionals’ associations. the vertical columns: strategic,
mindset. The previous version, known operations, reporting, and compli-
But the most important addition as the COSO Internal Control ance. Eight components of risk
BTM has made to the design Framework, standardized the management and internal controls
originally developed at its concept of internal control in are indicated in the horizontal
Americas headquarters is a link the following categories: rows: internal environment,
between risk management and objective setting, event identifica-
• Effectiveness and efficiency tion, risk assessment, risk response,
strategy. BTM incorporates in of operations
its internal perspective a risk control activities, information and
management process similar to • Reliability of financial reporting communication, and monitoring.
the Six Sigma linkage in many In the third dimension are the
• Compliance with applicable organization’s units.
organizations’ scorecards. This laws and regulations
linkage is a result of BTM’s goal In the banking industry, the
to enhance its corporate gover- The new COSO ERM system, COSO ERM model is a common
nance, the achievement of which building on the internal control risk management framework that
requires both superior strategy framework, encompasses the is generally accepted by regulators,
execution and robust risk man- concept of broader, enterprisewide external and internal auditors,
agement capabilities. Since the risk management—extending its and banking executives. As a
coverage to risks that relate to

12

Figure 1. The COSO Enterprise Risk Management Cube
The COSO cube depicts how four categories of objective—strategic, operations,
reporting, and compliance—overlay the eight components of risk management and
internal controls across all units of an enterprise.
result, regulatory supervision
policies in many advanced
countries such as the U.S. and
Japan are fundamentally based
on the COSO framework.
Supranational regulatory bodies
such as the Bank for International
Settlements have also adopted
the concept. Hence, particularly
for large complex global banks,
implementing the COSO ERM
system within the organization is
a de facto requirement for what
regulators refer to as “safe and
sound banking.”
But the COSO ERM concept had
never been tied explicitly to
the BSC methodology. Scorecard
literature typically highlights
value-creation strategies such as
growth and efficiency. But value
loss prevention—the risk manage-
ment aspect of these strategies—
is rarely mentioned. Similarly, risk
management literature tends to
focus on risk measurement and
assessment, seldom discussing the
importance of how these risks
align to strategic objectives.
For BTM, a strategy that lacks
alignment to risk management
is not only insufficient but down-
right dangerous. As the series of
recent corporate failures indicates,
the aggressive execution of a
strategy that lacks appropriate
checks and balances can result
in disaster. Furthermore, BTM
recognizes that risk management
is pointless unless it is closely
tied to the company’s strategic
objectives. After all, risks include
all sorts of things—marketplace
obstacles, legal hazards, inade-
quate or inefficient processes, and
fraudulent activities—that might
hinder an entity from achieving
its objectives. How significant a
risk is depends on the relative
importance of the objectives it
could affect. In short, strategy and
risk management are two sides
of the same coin; they must be
considered in tandem. BTM’s BSC
reflects this notion.
Mapping the COSO ERM
and the BSC
The BSC and the COSO ERM
are largely complementary. For
example, the BSC makes strategy
everyone’s job via cascading.
Similarly, the COSO ERM model
suggests that everyone in an
entity has some responsibility for
enterprise risk management.
Given this commonality—that
both strategy and risk manage-
ment are everyone’s job—the
COSO ERM model can be
mapped to the BSC according
to its eight components of risk
management and internal control
September–October 2005
(shown by the front face of the
COSO ERM cube in Figure 1).
In fact, this mapping is the key
to integrating the two concepts
virtually into one (see Figure 2
on p. 14). Let’s consider each
COSO ERM component and how
it can be linked to the BSC.
Internal Environment. This
refers to top management’s
commitment to risk management.
In the context of the BSC-COSO
linkage, it is about management’s
determination to use the BSC
with the COSO ERM system to
enhance the organization’s safety
and soundness. This is akin to
the best-practice concept of “Top
leadership committed” in Strategy-
Focused Organization Principle #1,
“Mobilize Change Through
Executive Leadership.”
Objective Setting. COSO
requires setting four categories of
objectives—strategic, operations,
reporting, and compliance. From
the BSC viewpoint, strategic
objectives are those closely
associated with achieving the
mission and vision of the organi-
zation, generally implemented
via high-priority projects. Once
they are cascaded down to the
operational levels, they are trans-
lated into “operations” objectives.
“Reporting” and “compliance”
objectives fit well with social and
regulatory strategic themes and
objectives in the BSC, which
generally show up in the internal
and customer perspectives. CSR-
related objectives also fit well in
these categories.
The benefit of using the COSO
ERM model in concert with the
BSC is that it helps ensure that
all the strategically important
objectives of these four categories
are included in the BSC, while
keeping the organization strategy-
focused.
Event Identification, Risk
Assessment, Risk Response,
and Control Activities. These
four components comprise the
heart of risk management.4
13
Balanced Scorecard Report
• Event Identification: Identifying
the internal and external events
that affect an organization’s
ability to achieve its objectives.
In the banking industry, risk is
typically classified into three
categories: market, credit, and
operational. All organizational
units are responsible for identi-
fying and managing operational
risk, which includes legal and
regulatory compliance risk. The
treasury function is responsible
for market risk. All lending-
related areas are responsible
for credit risk.
• Risk Assessment: Developing
scenarios and calculating the
likelihood, consequences, and
potential costs (tangible and
intangible) of each potential
risk event. These scenarios are
the basis on which the organi-
zation determines how it should
manage risks.
• Risk Response: Having in place
a plan to address risks either by
avoiding, accepting, reducing,
or sharing them. This involves
aligning risks with the organiza-
tion’s risk tolerance and risk
appetite.
• Control Activities: Establishing
policies and procedures that
help an organization efficiently
and effectively carry out risk
responses.
An organization is ready to execute
these processes for proactive
risk management once the four
types of COSO objectives have
been set. To make everyone more
accountable for risk management
performance, an organization
would simply add objectives
requiring these steps in every
unit’s BSC. This is the most
significant benefit BSC brings
to the COSO ERM model. For
example, by setting a bankwide
objective of implementing control
self-assessment in every unit’s
BSC, everyone is required to
go through these steps in the
potential risk areas BTM faces.
14
Information and Communi-
cation. The COSO ERM model
requires that relevant information
be communicated vertically and
horizontally within the organization
to help people enact their risk
management responsibilities. The
BSC ensures that strategic infor-
mation is cascaded down from
the top down. Also, as indicated
in the third dimension of the
COSO ERM cube, the information
flow applies across organizational
levels. Additionally, the BSC/
COSO-based double-feedback
loop covers not only strategy-
related information flows, but also
those related to risk management.
This accelerates organizational
learning and alignment between
strategy and risk management.
Monitoring. Monitoring is
typically conducted by two
parties: management and internal
auditors. Management monitors
performance of the organizational
units using the BSC. Internal
auditors, besides monitoring risk
management within each organi-
zational unit, validate whether the
entire architecture of the strategy-
risk linkage is working efficiently
and effectively.
A Package Deal for Governance
and Goal Achievement
The COSO ERM model expands
the use of the BSC to cover the
management of risks that might
arise in the course of executing
Figure 2. BSC–COSO ERM Mapping Chart
The elements of risk management defined by the COSO ERM model correspond to the three
strategy-related processes defined by the BSC and to the BSC’s feedback properties.
strategy. Therefore, when they are
used properly together, manage-
ment enhances the potential for
achieving the organization’s goals
and objectives. In addition, by
using BSC and the COSO ERM
model as a “package” rather than
separately, the organization
achieves simplicity in governance
while minimizing confusion.
Although BTM’s linkage is unique,
it should be applicable to any
organization that seeks to align
strategy and risk management.
Moreover, just as the BSC has
evolved over time, so we expect
the BSC–COSO ERM linkage to
do so at BTM. For the sake of the
wider application of this linkage
model, we expect, and hope, to
see further study of it by strategists
and risk managers. I
1
COSO stands for the Committee of
Sponsoring Organizations of the Treadway
Commission. It was established by five
accounting and finance professional
associations—the American Accounting
Association, the American Institute of
Certified Public Accountants, Financial
Executives International, the Institute of
Management Accountants, and the Institute
of Internal Auditors—to develop standards
for internal controls. For more information,
see http://www.coso.org.
2
The COSO Enterprise Risk Management–
Integrated Framework, Executive Summary,
September 2004, p. 2.
3
Ibid., p.1.
4
For a more exact definition of the four
components, refer to http://www.coso.org.
Reprint #B0509D